Some samples submitted but not processed

Eset detects sample 3 as FlyStudio.

The samples not detected that are most concerning are 4 and 5, which have 20+ detections at VT.

Sample 1 appears to be a hacktool.


20 minutes ago, itman said:

Sample 1 appears to be a hacktool.

Unless you qualify hacktool as a silent installation of Remote Admin, creating new Windows users and sending your network properties to some Chinese email address, I wouldn't call it a hacktool :)


18 minutes ago, Nevermind said:

Unless you qualify hacktool as a silent installation of Remote Admin, creating new Windows users and sending your network properties to some Chinese email address, I wouldn't call it a hacktool :)

My posting was based on a VT detection comment noting a GitHub YARA sig. detection.

VT analysis shows no outbound connection to known malicious C&C servers from the .msi installer. However, it appears there might be a malicious Excel macro embedded in the .msi installer, based on outbound network traffic detections from the macro. However, the detection score is 10/71.


  • Administrators
2 hours ago, azeu666 said:

This one is corrupted, ie. not subject to detection.

2 hours ago, azeu666 said:

Already detected (VirusTotal will show it detected in 2-3 hours):

1aaf4de53354804892f469dc81af5c889c575c931852cfa7f07b2313c54196b6.exe - a variant of MSIL/GenKryptik.FYZX trojan

Moreover, this one was detected upon execution by an older version with more than 2-year-old modules and without an Internet connection:

[screenshot]


I use Endpoint Antivirus for Linux with its inherent limitations (no Pico updates), not Eset Internet Security. When I scanned the two files with the existing detection engine, the two malware files were not detected.

Also, when I used: https://opentip.kaspersky.com/

and ClamAV using the YARA rule set from open source: https://www.reversinglabs.com/products/open-source-yara-rules

There was no issue in detecting the so-called "This one is corrupted, ie. not subject to detection."

Another two samples were submitted, but I did not get a reply, and no detection was added.

Sample 1: https://www.virustotal.com/gui/file/4e9ea62b43f207f6bbe7780c4d5258d946de7d31d32975950491897999579c84

Sample 2: https://www.virustotal.com/gui/file/26fcb0b2ee87c249d282c9c922b66b8a5a97d4af19938fa533858bf11913c63b

Also, as I haven't received any reply from ESET Lab since early August, I would like to know whether ESET Lab can actually receive my email submission.


14 hours ago, AnthonyQ said:

Also, as I haven't received any reply from ESET Lab since early August, I would like to know whether ESET Lab can actually receive my email submission.

Verify, using tracert etc., that you can reach the domains/IP addresses listed below. It is assumed that if you can reach one, you can reach all.

[image: Eset IP addresses]


1 hour ago, itman said:

Verify, using tracert etc., that you can reach the domains/IP addresses listed below. It is assumed that if you can reach one, you can reach all.

[image: Eset IP addresses]

I submitted samples via email, not in-product submission system.

Btw, these two samples are still not detected…


34 minutes ago, AnthonyQ said:

I submitted samples via email, not in-product submission system.

Are you using Gmail to do so? If this is the case, refer to this posting: https://forum.eset.com/topic/32997-submit-samples-with-gmail/#comment-153347 . BTW, you should be aware of this Gmail issue since you commented in that thread.

If you are not using Gmail for submission, ensure your e-mail request conforms to the following criteria:

[image: Eset sample submission criteria]

https://support.eset.com/en/kb141-submit-a-virus-website-or-potential-false-positive-sample-to-the-eset-lab?ref=esf


29 minutes ago, itman said:

Are you using Gmail to do so? If this is the case, refer to this posting: https://forum.eset.com/topic/32997-submit-samples-with-gmail/#comment-153347 . BTW, you should be aware of this Gmail issue since you commented in that thread.

If you are not using Gmail for submission, ensure your e-mail request conforms to the following criteria:

[image: Eset sample submission criteria]

https://support.eset.com/en/kb141-submit-a-virus-website-or-potential-false-positive-sample-to-the-eset-lab?ref=esf

No, I use Outlook mail, the same one I signed up for in this forum.


2 hours ago, AnthonyQ said:

No, I use Outlook mail, the same one I signed up for in this forum.

Are you sending your e-mail with the sample attached to Eset in plain text format, as specified in the Eset KB article? Here's how to do so: https://www.lifewire.com/outlook-plain-text-message-1165895 .


1 hour ago, itman said:

Are you sending your e-mail with the sample attached to Eset in plain text format, as specified in the Eset KB article? Here's how to do so: https://www.lifewire.com/outlook-plain-text-message-1165895 .

He submitted samples many times before and got responses too, more or less, so I'm sure he knows how to send. I don't submit a lot, but even in my experience, it has been extremely bad for a while. I've tried different emails too a few times, but it didn't improve the experience much. Besides, I don't remember ESET ever adding phishing sites to their database that I submitted via that dedicated website. I've stopped submitting samples to ESET to not waste my time. Nowadays, the main way to make ESET add detection is to share VT links here on the forum. 


  • Administrators
38 minutes ago, SeriousHoax said:

I don't remember ESET ever adding phishing sites to their database that I submitted via that dedicated website.

Any example please? Of course if you submit a lot of urls, those must be manually reviewed and opened by an analyst to find out if they are indeed phishing and subject to blocking. If you submit one or a few a time, they should be reviewed and possibly blocked relatively quickly (in 1 - 72 hours).


As far as reporting phishing web sites, that procedure is also noted in the above linked Eset KB article:

Quote
Submit a fraudulent page (phishing)

If you believe you have deliberately and deceitfully discovered a similar page to another, complete this form to notify us.

Note that Eset now requires a form to be completed and submitted.

Also, since the Eset KB article is dated Aug 10, 2022, it appears that the whole sample submission process has been recently revised.


On 8/22/2022 at 1:57 AM, Marcos said:

Any example please? Of course if you submit a lot of urls, those must be manually reviewed and opened by an analyst to find out if they are indeed phishing and subject to blocking. If you submit one or a few a time, they should be reviewed and possibly blocked relatively quickly (in 1 - 72 hours).

I can only say what I experience myself. Talking about malware submission experience, I sent this sample to ESET more than 2 weeks ago on 12 August but neither I have heard back nor a signature has been created yet. LiveGuard gave it a safe verdict, but it's not safe.

[screenshot]

If possible, please improve the processing of samples submitted by users.

VT link of the sample: VirusTotal - File - d468b56da07173c69423973b706924187e134d0baea07e2ef8e7b49afcd5aacd


6 hours ago, SeriousHoax said:

Here's the Hybrid-Analysis analysis of it: https://www.hybrid-analysis.com/sample/d468b56da07173c69423973b706924187e134d0baea07e2ef8e7b49afcd5aacd?environmentId=120 . It creates a Python-based keylogger. It is also VM aware. As such, I am not surprised Eset doesn't detect it.


6 hours ago, SeriousHoax said:

I can only say what I experience myself. Talking about malware submission experience, I sent this sample to ESET more than 2 weeks ago on 12 August but neither I have heard back nor a signature has been created yet. LiveGuard gave it a safe verdict, but it's not safe.

This happens when there is unlimited access to a sample queue processed entirely by real people :) Btw, I don't think the virus guys send replies to each such email. Your sample will be detected soon if it is not already.


  • Administrators
24 minutes ago, Nevermind said:

Btw, I don't think the virus guys send replies to each such email. Your sample will be detected soon if it is not already.

Correct. The said Python installer sample has been analyzed for several hours already and the analysis is still ongoing and will likely be eventually detected when finished.


2 hours ago, itman said:

Here's the Hybrid-Analysis analysis of it: https://www.hybrid-analysis.com/sample/d468b56da07173c69423973b706924187e134d0baea07e2ef8e7b49afcd5aacd?environmentId=120 . It creates a Python-based keylogger. It is also VM aware. As such, I am not surprised Eset doesn't detect it.

Yeah, it needs to be analyzed manually.

 

40 minutes ago, Nevermind said:

This happens when there is unlimited access to a sample queue processed entirely by real people :) Btw, I don't think the virus guys send replies to each such email. Your sample will be detected soon if it is not already.

I don't need replies as long as submitted samples get added to the database. Well, I have waited 2 weeks which is long enough. Too long I would say.


  • Most Valued Members
2 hours ago, SeriousHoax said:

Yeah, it needs to be analyzed manually.

 

I don't need replies as long as submitted samples get added to the database. Well, I have waited 2 weeks which is long enough. Too long I would say.

 

2 hours ago, Nevermind said:

This happens when there is unlimited access to a sample queue processed entirely by real people :) Btw, I don't think the virus guys send replies to each such email. Your sample will be detected soon if it is not already.

Yeah, the thing is, in a world where new viruses appear all the time, and while no AV can offer full protection, if a user submits possible malware it shouldn't take 2 weeks to get detected if it is actual malware that could have infected multiple users in the meantime.


2 hours ago, Marcos said:

The said Python installer sample has been analyzed for several hours already and the analysis is still ongoing and will likely be eventually detected when finished.

For me, this sums up the state of malware detection at Eset.

You have 32/71 VirusTotal vendors detecting it as malicious; the first submission there was 8/14. There is at least one respected public cloud sandbox giving it a 100/100 malicious verdict. Yet Eset VirusLab, after hours of behavior observation, can't determine if the sample is malicious.


Following up on my last posting, I think it's time Eset added a new section to the Real-time settings titled "Additions." The format for this section would be identical to the existing "Detection Exclusions" section, with the exception that only a SHA1 hash value could be entered, with no path option. Eset real-time scanning would be modified to always check and process entries in "Detection Additions" prior to any other processing.

The above would cover a user until Eset got around to detecting a submitted malware sample.

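As an added illustration of the hash-keyed "Detection Additions" list proposed in the post above, here is a stand-alone Python sketch of how such a user-maintained stopgap could work; it is example code written for this page, not ESET's code and not the poster's. It assumes a plain text list with one hex digest per line (comments after `#` allowed) and accepts both SHA-1, as the post proposes, and SHA-256, which is the form the VirusTotal links elsewhere in this thread use. The sample files and the listing are constructed inline so the script runs offline. Two caveats a practitioner should keep in mind: SHA-1 is no longer collision-resistant, so prefer SHA-256 entries, and a hash list only catches the exact bytes you submitted; a repacked variant gets a new hash and slips past it.

```python
"""User-side "detection additions" hash list (added example, not ESET code).

Assumptions (not from the forum post): the list is a text file with one hex
digest per line, '#' starts a comment, and both SHA-1 and SHA-256 digests are
accepted. Files are hashed in chunks so large samples are not read into memory.
"""
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # 1 MiB read size for streaming hashes


def parse_hash_list(text: str) -> dict[str, set[str]]:
    """Parse the additions list into {'sha1': {...}, 'sha256': {...}}.

    Digest length selects the algorithm; anything else is rejected so a typo
    never silently produces an entry that can never match.
    """
    wanted: dict[str, set[str]] = {"sha1": set(), "sha256": set()}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip().lower()
        if not line:
            continue
        if len(line) == 40:
            algo = "sha1"
        elif len(line) == 64:
            algo = "sha256"
        else:
            raise ValueError(f"line {lineno}: not a SHA-1 or SHA-256 hex digest: {raw!r}")
        int(line, 16)  # raises ValueError on non-hex characters
        wanted[algo].add(line)
    return wanted


def file_digests(path: Path) -> dict[str, str]:
    """Return both digests of a file, computed in one streaming pass."""
    h1, h256 = hashlib.sha1(), hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h1.update(chunk)
            h256.update(chunk)
    return {"sha1": h1.hexdigest(), "sha256": h256.hexdigest()}


def scan_tree(root: Path, wanted: dict[str, set[str]]) -> list[tuple[Path, str, str]]:
    """Walk root and report every regular file whose digest is on the list.

    SHA-256 is checked first; a file is reported once even if both digests are listed.
    Symlinks are skipped so the scan cannot be steered outside the tree.
    """
    hits: list[tuple[Path, str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            digests = file_digests(p)
            for algo in ("sha256", "sha1"):
                if digests[algo] in wanted[algo]:
                    hits.append((p, algo, digests[algo]))
                    break
    return hits


def demo() -> list[str]:
    """Constructed demo: one file listed by SHA-256, one by SHA-1, one clean."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bad1.exe").write_bytes(b"MZ constructed sample one")
        (root / "bad2.bin").write_bytes(b"MZ constructed sample two")
        (root / "clean.txt").write_bytes(b"hello")
        listing = "\n".join([
            "# detection additions, one hash per line",
            hashlib.sha256(b"MZ constructed sample one").hexdigest(),
            hashlib.sha1(b"MZ constructed sample two").hexdigest().upper(),  # case-insensitive
        ])
        hits = scan_tree(root, parse_hash_list(listing))
        return sorted(f"{p.name}:{algo}" for p, algo, _ in hits)


if __name__ == "__main__":
    print(demo())  # ['bad1.exe:sha256', 'bad2.bin:sha1']
```

In a real deployment the list would be checked before any other scanning logic, as the post proposes, and the hashes would come from the VirusTotal page of the sample you submitted rather than from constructed bytes.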
